The UK's data protection watchdog has fined two English council bodies a total of £180,000 after finding they had failed to keep "highly sensitive information" about children secure.
Croydon Council was fined £100,000 after a bag containing papers about a child sex abuse court case was stolen from a social worker in a pub in …

@cornz 1

Re: Once again..

Grubberment department sanctions other grubberment department by moving taxpayers' money about. Still, to be fair, if they didn't do something to use the "fines for losing stuff" budget it would be cut back the following year.

Re: Re: Re: Once again..

Re: Re: Once again..

....Did you work in the UK, Field Marshal? If so, was it within the last 20 years?

Under UK employment law, you can't be "immediately sacked" for any of the things you mentioned (possibly with the exception of losing the company 100k) as none of them are definable as gross misconduct. Disciplinary action may be invoked in some of those examples, but there are various procedures that must be followed during such action before dismissal can be considered, and then only as a final recourse, just about anything else can be considered as either unfair or constructive dismissal and that gives you a legal case to put before an employment tribunal.

Unless, of course, they had been included as specific clauses in your employment contract and you had voluntarily agreed to them.

Oh, and if you work in a "secure government role", in which case you can certainly be dismissed if you cause a serious breach of security through direct action (but not INaction).

Working from Home?

Clearly you never have worked in Social work...

"WTF was this information doing floating around outside the office anyway"

Well, let's see, they could have travelled 200 miles to a meeting or a client which required mountains of paperwork and then, god forbid, after a 12 hour day, this person may, just may, have wanted something other than a limp sandwich to eat.

If that sounds far-fetched, trust me it's not, I'm married to a social worker and know about 20 others, and 400 mile round trips are not uncommon.

But I guess your solution would be to get up at 5 am, pick up the documents from the office, drive 200 miles, do the meeting, and then drive back, without any stops (including petrol) and then deposit it straight away back in the office.

Before you say use VC, well good luck getting doctors, police, social workers, health visitors and not forgetting the "clients" all hooked up and working.

But hey you sit on your ass and type away all day while the rest of us live in the real world.

or they could

ship them by their secure courier to the CP unit local to the conference so the chairperson (locally supplied, trust me on that) would keep them in the office safe, return them after via the secure courier.

Just saying

"But hey you sit on your ass and type away all day while the rest of us live in the real world."

In the "Real World" ®, many people that lost that sort of sensitive / personal data would be instantly sacked without compensation.

".. your solution would be to get up at 5 am, pick up the documents from the office, drive 200 miles, do the meeting, and then drive back ..."

Many people do actually do just that. For 6 months, I drove to places in London (av. 260 miles) and back 5 days a week, leaving home at 5 am and getting home 9 - 10 pm after a full day's work.

For 10 years, I was a school governor. In that time, I had to sit on a large number of committees at which social services were required to attend. In that time, about 40% of meetings were wasted because the social worker never turned up, or when they did so, they had the wrong information.

I would also highlight that they were always paid even when they didn't turn up; my colleagues and I didn't even claim expenses. Whilst I do have some sympathy for the work that they do, my view of most social workers is not a positive one. And I would suggest that many others feel the same way from similar experiences.

You can make up as many excuses as you like, but allowing personally sensitive data out of your sight in a public location such as this is a massive herp derp. It's not a one-off, it's a sadly repeated state of affairs across all sectors and it seems no one is learning from these errors because they do not punish the culprits - just our tax.

This information should never have been taken into the pub - lock it in the car after your 400 miles round trip. If we backed up our commercially sensitive data on a public facing blog instead of a secure storage server, we'd be rightly crucified. Leaving written data unattended in a pub is the same thing.

No, but I do carry sensitive data...

I have personal data on my laptop relating to the students I support and I regularly make trips of that kind of distance.

My bag gets placed on the seat next to me, preferably between me and the wall. When that isn't possible, it gets placed between my legs - often with my foot hooked through one of the straps. No-one can get to my bag without seriously invading my personal space in a very noticeable way.

@ac 1224

Re: or they could

What is suggested is a sensible idea. (in lieu of proper secure electronic linkage)

It will not happen

The council officer that suggests using a courier service on a regular basis to move the confidential data, will be volunteered for redundancy at the next round of job cuts, for "wasting money".

Councillors (the elected), are only interested in spending money on vote winning stuff, not data security, which they don't understand anyway.

This goes with the number of Data Protection officer posts that have been cut in local authorities, with the role dumped on some other officer as his 3rd or 4th duty responsibility, on top of running whatever department or directorate in the council.

Most data heavy organisations with £300m+ turnover, 5000+ staff, and 400+ business functions, would normally have a full time security manager, however in the average local authority this is just tagged on to the back of somebody's JD.

So if anybody wants appropriate security at your council, go see your councillor, and tell him that unless he gets security sorted you are going to vote for somebody who will. This is the only way to improve the situation.

Re: Re: or they could

@ Despairing Citizen

Agree with everything you say. You speak the truth sir.

It's the same throughout the public sector. I work in IT for the NHS and it's exactly the same here. Thankfully the lower payscale workers (i.e. anyone who isn't senior management or a doctor) now receive training on data protection issues.

However with inevitable predictability it's the senior managers and doctors, who can't be bothered to turn up because they're far too important, who are the main culprits of data protection breaches.

I'd love to list off the examples I've seen with my own eyes but again with inevitable predictability the senior managers and doctors concerned walk away totally and utterly scot-free while if I were to mention the breaches here and got found out I'd be out on my arse faster than you can say Data Protection Act.

NHS Reform? Yeah, sack half the managers. No one would ever notice. I promise.

Re: Just saying

"In the "Real World" ®, many people that lost that sort of sensitive / personal data would be instantly sacked without compensation."

Err.....no. They may face corrective or disciplinary action, but an INSTANT sacking would be a breach of UK employment law. Also, it is not in the employer's power to decide whether there would be "compensation" or not; that will either be a clause in the employment contract or at the discretion of an employment tribunal or court.

"Many people do actually do just that. For 6 months, I drove to places in London (av. 260 miles) and back 5 days a week, leaving home at 5 am and getting home 9 - 10 pm after a full day's work."

If this amount of travel is a requirement of your employment then your employer may be in breach of the EU working directive laws (limiting your working hours to 48 per week, INCLUDING travel times) and possibly also in breach of the UK employment laws which state that an employee must be permitted 11 hours between shifts (defined as a "working period") before being required to return to work.

Folks, there are a lot of knee-jerk "Sack them/I'd be sacked" stuff being posted on this forum; I *strongly* suggest you find out about your employment rights, get a copy of your contract (if you don't have one, you're being illegally employed) and join a union!

Get educated before your employer tramples you in the name of profit or simple expediency.

Re: Re: Just saying

I reckon a lot of employers are in breach of a lot of laws regarding welfare of staff, but they can get us to work for them anyway because we and they know another mug is ready and waiting to earn a crust.

"A-ha! Just do what you're legally obliged to do because you can't be sacked."

Yes, great solution until you end up in an arms race where minor infringements become disciplinary matters instead of informal chit chats until, eventually, you find yourself out of a job having no reference. There's no end of rules and bullshit they can make up if they don't want you there. It's best in most cases just to shut up and take the shafting, or find another job. Not all of us are prepared or so financed that we might drag it through the courts where a 50/50 result awaits at the outcome.

Not really

The councillors would just claim the fine on expenses. Until someone is sacked for an offence like this, attitudes will not change.

Being a data protection officer is not just being registered with the ICO, it is being responsible for protecting data. The managers above the DPO are equally responsible for ensuring that procedures are in place.

In private industry, heads roll when there are data breach screw-ups, it may take time, but someone (not always the right person) is made to pay. Why is it that this never happens in the public sector?

Re: Not really

Alas, that, too, is complete bollocks. People just hide behind employment law. If you try to sack someone for being utterly shit at their job and frequently disclosing confidential information they will just claim they were improperly trained and take you to tribunal. It is damn near impossible to sack someone for incompetence these days.

We have a HR manager that frequently misuses the Outlook Address Auto-complete feature to send confidential information to all and sundry - but feck-all ever happens.

Re: Make the fines change the behaviour

Unfortunately "New Liars" got rid of surcharging

and

the Clownservatives got rid of the public body responsible for checking what the elected idiots get up to. (Please note apologies to the roughly 10% to 20% of councillors who do, or attempt to do, a decent job)

Costs Them Nothing

I have said it before, take the fines out of the senior managers salaries, they are supposedly being paid to take the big risks associated with their roles and also in cases like this, fine the actual people who were negligent with the data.

Fining the council, as cornz said, just comes out of the taxpayer's pocket.

Wrong fine, wrong target

The fines should have been the maximum £500,000 and been directed at the individuals involved, not the council. Only when this starts happening will people start treating sensitive information correctly, until then, they just won't care.

[We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen.]

Please explain this in layman's terms, does he really mean that even though they KNOW in advance that bags may be stolen that they still ACCEPT to allow employees to carry sensitive information within said bags?

Isn't that a little like asking ham fisted morons to deliver loaded guns with faulty triggers? "We know that someone will eventually drop a gun - like all of us - sometimes people just get shot"

If this information is so sensitive why is it being delivered by council employees?

Worst case scenario should be a signed and tracked delivery.

Better case scenario : the information is retrieved from the council office by the "verifiable" intended recipient.

Best Case Scenario : Well there is none really because a member of "Anonymous" would have already cracked the secure login, hacked the database, distributed the case files to the Sun and then denied everything.

[What like a couple of CDs by courier? What happens when it gets lost in the post?]

And just what do you think "tracking" is actually used for?

[Riiighhhhhttttttttt. Hi Mr & Miss Scumbag, No 99 scumbag towers. Any chance you can come to pick up the documents relating to your child protection order.]

That's exactly what I have to do when I get a new passport, I have to go myself, with my papers, to the consulate. Where's the problem, I prefer doing that than taking the chance that some numpty loses it in the pub.

[Shheess, some people in IT really live in a fucking bubble.]

Please describe the "fucking bubble", I think you will be surprised to learn that most of us actually do have lives and are capable of a reasonable amount of rational thought.

What?

We've had couriers lose full 32u racks! Tracked or not tracked they still lose them. I've had a passport lost via courier, so they still get lost.

"That's exactly what I have to do when I get a new passport, I have to go myself..."

Right, so getting a new passport is the same as some alcoholic, crack addict potentially losing their kids. Yup exactly the same.

As for living in a bubble? Yes we do, just as most other professions do. Ask a Social worker / Doctor / Teacher how good and usable their IT is and see what answers you get. Hell half the time they have to print the documents because the remote working is so utterly shit, they have little choice.

"As for living in a bubble? Yes we do, just as most other professions do."

I won't disagree with you - "silo mentality" is a big problem in most industries and IT can be one of the worst. Too many IT professionals suffer with delusions of adequacy.

"how good and usable their IT is"

That will depend on a number of factors; all too often people complain that something doesn't work when in fact they don't know how to use it (or what they should be using it for). This is another very common problem, and if I had an answer for you, I would probably be making millions.

"the remote working is so utterly shit"

Remote working is not new, and there are lots of people that use it on a daily basis. We have several sites over the UK and Western Europe, with a number of people working remotely every day. It can be very effective (I was managing an ERP system from a hotel room in another country a month ago) but only if the people using it have been trained.

That doesn't mean that remote working is always going to be ideal - if you are trying to work on a crap broadband connection, or a piss poor wifi, then you will have issues. Equally, if you have a half decent connection, but everyone and his dog is streaming the news / pr0n / last night's footie match on the same connection, it will be a less than stellar experience.

But none of that is an excuse for someone taking sensitive documents into a public place and losing them; and the main issue is that this happens over, and over, again. As many others have pointed out, once again it is the taxpayer that will foot the bill; surely we now have the right to ask why we are having to stump up cash because once again, someone has fouled up?

Remote working

Indeed, my sister managed to use Citrix for many years - and she still thinks the tower is the hard drive (despite my having showed her one, then a few years back her new Acer having to go back within a week because the hard drive failed, and despite the fact I recently pointed out my external hard drive enclosure to her. On second thoughts, don't get me started about my sister!).

Re: professional courier service

"Why not use professional delivery people, that's why they exist."

Ok, now find a professional courier service.....

I have had lots of problems at a number of organisations, finding a courier service that didn't wreck the engineering drawings being sent off site for scanning. This includes large national and international courier companies.

If it is really that important for secure delivery, then doing it in person is probably the best chance of getting towards 100% success, and at least there is a clear line of responsibility.

PS

the best courier service I ever worked with was a small local firm, they were significantly closer to 100% than the main national carriers.

Sadly

Quite

My first thought on reading this "another set of sensitive info lost in pub" story. Why is anybody taking anything like this into a pub in the first place? Presumably it's a matter of stopping off for a quick drink on the way home rather than going out for the evening carrying your work with you. No harm in that in itself, but if the employee is so desperate for alcohol that it overrides common sense, he shouldn't be employed in a responsible job.

FIRE THE MANAGERS!

Let's face it, this is hardly the first time (this week?) that sensitive personal data has been 'lost' by our glorious overlords. Clearly fining the council is absolutely NO deterrent whatsoever as the only people punished (correct me if I'm wrong here) are the taxpayers.

The only way to make those in charge take this seriously is to publicly fire the morons responsible who repeatedly let this happen. If whoever lost the data has undergone training, bye bye to them, if they haven't, sack the bloody managers whose job it is to make sure everyone knows the rules.

Signing bits of paper saying "Sorry, we won't do it again, honest" is not working!

Local press could have a role

They should mention the fine every single time they write about any cuts to council services, or increases in council charges. Remind us of the amount of the fine, the senior manager responsible. Point out that the cut or price rise would have been unnecessary if they hadn't been fined. Every single time.

You can't realistically fine or fire a senior manager if one of the thousands of workers they are responsible for makes a mistake - nobody would do the job. But they should feel the pressure of a lot of angry voters.

What a nice neighbour

Re: What a nice neighbour

I don't think it said the neighbour reported it to the police. If I received personal confidential mail meant for my neighbour, I'd just pass it on (I wouldn't know what it was anyway). If I found my confidential info had been passed to them, I might well make life difficult for whoever did it.